We've found an issue with Bitbucket cloud, where any user with write permissions has the ability to export the runtime secrets, including workspace / repository / deployment secrets, to an artifact. Like so:
1. A user with write access creates a new branch from the main branch.
2. That user then modifies the bitbucket-pipelines.yml file, and adds a step similar to this:
```yaml
...
    script:
      - printenv | tee output.txt
    artifacts:
      paths:
        - output.txt
...
```
3. Then that user can push the changes, and within that branch execute the step, and download the artifact, revealing all of the secrets.
How do you prevent this kind of leakage?
Hi Tim,
We mention this in our documentation here:
Workspace variables can be accessed by all users with write permission for any repository (private or public) that belongs to the team or account.
Pipelines variables added at the repository level can be used by any user who has write access in the repository.
There is no way to prevent this for workspace and repository variables. However, it is possible to restrict access to deployment variables to admins only:
If your workspace is on the Premium plan, you can enable this option for certain or all deployment environments. If someone who is not an admin triggers a pipeline to an environment that has this feature enabled, the build will get paused.
An admin of the repo can resume a paused build or do nothing. Selecting the cog icon from the following screenshot in the paused build will show you the yml file for the commit/branch that triggered the pipeline:
Kind regards,
Theodora
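Since the thread concludes that workspace and repository variables cannot be locked down, the practical control is to catch pipeline changes that dump the environment before they are merged or run. The scanner below is an added example written for this thread, not Atlassian's code or a Bitbucket feature: it walks a parsed bitbucket-pipelines.yml (the dict that `yaml.safe_load` returns; PyYAML is assumed for real files but the embedded sample is a constructed dict so the block runs without it), flags any `step` whose `script` lines print the whole environment, and raises the severity when that step also declares `artifacts`, because the dump then becomes a downloadable file rather than a log line. The command patterns and severity labels are my own assumptions; extend them to match your scripts.

```python
"""Flag pipeline steps that dump the environment (and worse, ship it as an artifact)."""
import re
import sys

# Shell idioms that print every environment variable. Assumption: this list covers
# the common ones; `set -e` or `env FOO=bar cmd` are deliberately not matched.
ENV_DUMP_PATTERNS = [
    re.compile(r"(^|[\s;&|(])printenv\b"),
    re.compile(r"(^|[\s;&|(])env\s*(?=$|[;|>&)])"),
    re.compile(r"(^|[\s;&|(])set\s*(?=$|[;|>&)])"),
    re.compile(r"(^|[\s;&|(])export\s+-p\b"),
    re.compile(r"/proc/(self|\d+)/environ"),
]


def iter_steps(node, path=""):
    """Yield (path, step_dict) for every `step:` mapping anywhere in the config,
    including `parallel:` groups, `definitions:`, branch and custom pipelines."""
    if isinstance(node, dict):
        for key, value in node.items():
            sub = f"{path}/{key}"
            if key == "step" and isinstance(value, dict):
                yield sub, value
            else:
                yield from iter_steps(value, sub)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_steps(item, f"{path}[{i}]")


def script_lines(step):
    """Shell lines of a step; `pipe:` entries are dicts, not shell, so skip them."""
    return [line for line in step.get("script", []) if isinstance(line, str)]


def env_dump_lines(lines):
    return [line for line in lines if any(p.search(line) for p in ENV_DUMP_PATTERNS)]


def scan(config):
    """Return one finding per step that dumps the environment.

    YAML anchors make the same step dict appear under `definitions:` and again
    in `pipelines:`, so steps are de-duplicated by object identity."""
    findings, seen = [], set()
    for path, step in iter_steps(config):
        if id(step) in seen:
            continue
        seen.add(id(step))
        dumps = env_dump_lines(script_lines(step))
        if not dumps:
            continue
        has_artifacts = bool(step.get("artifacts"))
        findings.append({
            "path": path,
            "name": step.get("name", "<unnamed>"),
            "lines": dumps,
            "artifacts": has_artifacts,
            # A `deployment:` step is where the admin-only deployment-variable
            # restriction from the reply above would apply.
            "deployment": step.get("deployment"),
            # Dump + artifact: the variables leave the build as a downloadable file.
            "severity": "high" if has_artifacts else "medium",
        })
    return findings


# Constructed sample mirroring the step described in the question.
SAMPLE_CONFIG = {
    "pipelines": {
        "default": [
            {"step": {"name": "build", "script": ["set -e", "npm ci", "npm test"]}},
        ],
        "branches": {
            "feature/*": [
                {"step": {
                    "name": "dump",
                    "script": ["printenv | tee output.txt"],
                    "artifacts": {"paths": ["output.txt"]},
                }},
            ],
        },
        "custom": {
            "release": [
                {"step": {"name": "deploy", "deployment": "production",
                          "script": ["env", "./deploy.sh"]}},
            ],
        },
    },
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        import yaml  # PyYAML, assumed installed when scanning a real file
        with open(sys.argv[1]) as fh:
            config = yaml.safe_load(fh)
    else:
        config = SAMPLE_CONFIG
    for f in scan(config):
        print(f"[{f['severity']}] {f['path']} ({f['name']}): {f['lines']}"
              f"{' -> artifacts' if f['artifacts'] else ''}")
```

Run it as `python scan_pipeline.py bitbucket-pipelines.yml` in a pull-request check or a scheduled job over every branch; with no argument it scans the embedded sample and reports the `dump` step as high and the `deploy` step as medium. Because the issue in the thread is a change on a new branch, the check is only useful if it runs on branch pushes, not just on the main branch.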